OpenSSL vulnerabilities
Published: Tue, 09 Jun 2026 17:14
Summary
Several security issues were fixed in OpenSSL.
Details
Frank Buss discovered that OpenSSL had a heap buffer over-read in ASN.1 content parsing. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or obtain sensitive information. (CVE-2026-34180) Pavol Zacik and Alex Gaynor discovered that OpenSSL incorrectly accepted PKCS#12 files with short HMAC keys when using PBMAC1. An attacker could possibly use this issue to bypass integrity checks. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-34181) Asim Viladi Oglu Manizada and Alex Gaynor discovered that OpenSSL could accept forged CMS AuthEnvelopedData messages. An attacker could possibly use this issue to bypass message authentication checks. (CVE-2026-34182) Abhinav Agarwal discovered that OpenSSL had unbounded memory growth in the QUIC PATH_CHALLENGE handler. A remote attacker could possibly use this issue to cause OpenSSL to use excessive resources, leading to a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-34183) Sunwoo Lee, Hyuk Lim, and Seunghyun Yoon discovered that OpenSSL had a NULL pointer dereference in QUIC server initial packet handling. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-42764) Mayank Jangid, Kushal Khemka, Hari Priandana, Bhabani Sankar Das, and Qifan Zhang discovered that OpenSSL had a possible NULL dereference in password- based CMS decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-42766) Zhanpeng Liu, Guannan Wang, and Guancheng Li discovered that OpenSSL had a NULL pointer dereference in CRMF EncryptedValue decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-42767) Alex Gaynor discovered that OpenSSL had a Bleichenbacher oracle in CMS_decrypt() and PKCS7_decrypt() with multiple RecipientInfo values. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-42768) Alex Gaynor discovered that OpenSSL had a trust-anchor substitution issue in CMP rootCaKeyUpdate processing. An attacker could possibly use this issue to bypass certificate trust validation. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-42769) Alex Gaynor discovered that OpenSSL used attacker-supplied parameters when validating FFC-DH peers. An attacker could possibly use this issue to weaken key validation and compromise security guarantees. (CVE-2026-42770) Alex Gaynor discovered that OpenSSL could ignore the IV in AES-OCB mode on the EVP_Cipher() path. An attacker could possibly use this issue to bypass cryptographic protections and obtain sensitive information. (CVE-2026-45445) Alex Gaynor discovered that OpenSSL had incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. An attacker could possibly use this issue to bypass cryptographic integrity checks. (CVE-2026-45446) Thai Duong discovered that OpenSSL had a heap use-after-free in PKCS7_verify(). An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-45447) Zehua Qiao and Jinwen He discovered that OpenSSL had a possible heap buffer overflow in ASN.1 multibyte string conversion. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-7383) Bhabani Sankar Das discovered that OpenSSL had an out-of-bounds read in CMS password-based decryption. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-9076)
Recommended actions per Ubuntu release
StackPatch playbook auto-generated per release codename and per affected package.
Ubuntu jammy
openssl→3.0.2-0ubuntu1.25apt_upgradeStandard apt upgrade. Install 3.0.2-0ubuntu1.25 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y openssl
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-dev→3.0.2-0ubuntu1.25apt_upgradeStandard apt upgrade. Install 3.0.2-0ubuntu1.25 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libssl-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-doc→3.0.2-0ubuntu1.25apt_upgradeStandard apt upgrade. Install 3.0.2-0ubuntu1.25 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libssl-doc
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl3→3.0.2-0ubuntu1.25apt_upgradeStandard apt upgrade. Install 3.0.2-0ubuntu1.25 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libssl3
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssl→3.0.2-0ubuntu1.25apt_upgradeStandard apt upgrade. Install 3.0.2-0ubuntu1.25 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y openssl
Most apt upgrades restart their service automatically. needrestart lists anything else.
Ubuntu noble
openssl→3.0.13-0ubuntu3.11apt_upgradeStandard apt upgrade. Install 3.0.13-0ubuntu3.11 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y openssl
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-dev→3.0.13-0ubuntu3.11apt_upgradeStandard apt upgrade. Install 3.0.13-0ubuntu3.11 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libssl-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-doc→3.0.13-0ubuntu3.11apt_upgradeStandard apt upgrade. Install 3.0.13-0ubuntu3.11 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libssl-doc
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl3t64→3.0.13-0ubuntu3.11apt_upgradeStandard apt upgrade. Install 3.0.13-0ubuntu3.11 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libssl3t64
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssl→3.0.13-0ubuntu3.11apt_upgradeStandard apt upgrade. Install 3.0.13-0ubuntu3.11 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y openssl
Most apt upgrades restart their service automatically. needrestart lists anything else.
Ubuntu questing
openssl→3.5.3-1ubuntu3.4apt_upgradeStandard apt upgrade. Install 3.5.3-1ubuntu3.4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y openssl
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-dev→3.5.3-1ubuntu3.4apt_upgradeStandard apt upgrade. Install 3.5.3-1ubuntu3.4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libssl-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-doc→3.5.3-1ubuntu3.4apt_upgradeStandard apt upgrade. Install 3.5.3-1ubuntu3.4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libssl-doc
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl3t64→3.5.3-1ubuntu3.4apt_upgradeStandard apt upgrade. Install 3.5.3-1ubuntu3.4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libssl3t64
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssl→3.5.3-1ubuntu3.4apt_upgradeStandard apt upgrade. Install 3.5.3-1ubuntu3.4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y openssl
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssl-provider-legacy→3.5.3-1ubuntu3.4apt_upgradeStandard apt upgrade. Install 3.5.3-1ubuntu3.4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y openssl-provider-legacy
Most apt upgrades restart their service automatically. needrestart lists anything else.
Ubuntu resolute
openssl→3.5.5-1ubuntu3.2apt_upgradeStandard apt upgrade. Install 3.5.5-1ubuntu3.2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y openssl
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-dev→3.5.5-1ubuntu3.2apt_upgradeStandard apt upgrade. Install 3.5.5-1ubuntu3.2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libssl-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl-doc→3.5.5-1ubuntu3.2apt_upgradeStandard apt upgrade. Install 3.5.5-1ubuntu3.2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libssl-doc
Most apt upgrades restart their service automatically. needrestart lists anything else.
libssl3t64→3.5.5-1ubuntu3.2apt_upgradeStandard apt upgrade. Install 3.5.5-1ubuntu3.2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libssl3t64
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssl→3.5.5-1ubuntu3.2apt_upgradeStandard apt upgrade. Install 3.5.5-1ubuntu3.2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y openssl
Most apt upgrades restart their service automatically. needrestart lists anything else.
openssl-provider-legacy→3.5.5-1ubuntu3.2apt_upgradeStandard apt upgrade. Install 3.5.5-1ubuntu3.2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y openssl-provider-legacy
Most apt upgrades restart their service automatically. needrestart lists anything else.
Are YOU affected by USN-8414-1?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8414-1 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
StackPatch runs this match against YOUR installed packages every hour
Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.